Client certificates options in ydb cli (ydb-platform#8406)

Author: UgnineSirdis

ydb/apps/dstool/lib/common.py

@@ -219,7 +219,8 @@ def add_host_access_options(self, parser, with_endpoint=True):
         g.add_argument('--grpc-port', type=int, default=2135, metavar='PORT', help='GRPC port to use for procedure invocation')
         g.add_argument('--mon-port', type=int, default=8765, metavar='PORT', help='HTTP monitoring port for viewer JSON access')
         g.add_argument('--token-file', type=FileType(encoding='ascii'), metavar='PATH', help='Path to token file')
-        g.add_argument('--ca-file', metavar='PATH', dest='cafile', type=str, help='Path to a file containing the PEM encoding of the server root certificates for tls connections.')
+        g.add_argument('--ca-file', metavar='PATH', dest='cafile', type=str, help='File containing PEM encoded root certificates for SSL/TLS connections. '
+                                                                                  'If this parameter is empty, the default roots will be used.')
         g.add_argument('--http-timeout', type=int, default=5, help='Timeout for blocking socket I/O operations during HTTP(s) queries')
         g.add_argument('--insecure', action='store_true', help='Allow insecure HTTPS fetching')
         g.add_argument('--use-ip', action='store_true', help='Use IP addresses instead of hostnames when connecting to endpoints')

ydb/apps/ydb/CHANGELOG.md

@@ -1,3 +1,4 @@
+* Add options for client certificates in SSL/TLS connections.
 * Add `ydb admin node config init` command to initialize directory with node config files.
 * Add `ydb admin cluster config generate` command to generate dynamic config from static config on cluster.
 * Fixed memory leak in tpcds generator.

ydb/core/driver_lib/cli_base/cli_cmds_db.cpp

@@ -883,6 +883,8 @@ class TClientCommandSchemaTableOptions : public TClientCommand {
         ClientConfig.MaxInFlight = CommandConfig.ClientConfig.MaxInFlight;
         ClientConfig.EnableSsl = CommandConfig.ClientConfig.EnableSsl;
         ClientConfig.SslCredentials.pem_root_certs = CommandConfig.ClientConfig.SslCredentials.pem_root_certs;
+        ClientConfig.SslCredentials.pem_cert_chain = CommandConfig.ClientConfig.SslCredentials.pem_cert_chain;
+        ClientConfig.SslCredentials.pem_private_key = CommandConfig.ClientConfig.SslCredentials.pem_private_key;
     }
 
     template<typename T>

ydb/core/driver_lib/cli_base/cli_cmds_root.cpp

@@ -186,6 +186,7 @@ class TClientCommandRootLite : public TClientCommandRootKikimrBase {
             throw TMisuseException() << message;
         }
         ParseCaCerts(config);
+        ParseClientCert(config);
         config.Address = Address;
 
         if (!hostname) {
@@ -195,6 +196,10 @@ class TClientCommandRootLite : public TClientCommandRootKikimrBase {
         if (config.EnableSsl) {
             CommandConfig.ClientConfig.EnableSsl = config.EnableSsl;
             CommandConfig.ClientConfig.SslCredentials.pem_root_certs = config.CaCerts;
+            if (config.ClientCert) {
+                CommandConfig.ClientConfig.SslCredentials.pem_cert_chain = config.ClientCert;
+                CommandConfig.ClientConfig.SslCredentials.pem_private_key = config.ClientCertPrivateKey;
+            }
         }
     }
 

ydb/core/driver_lib/cli_base/cli_grpc.h

@@ -94,6 +94,8 @@ class TClientGRpcCommand : public TClientCommand {
         ClientConfig.MaxInFlight = CommandConfig.ClientConfig.MaxInFlight;
         ClientConfig.EnableSsl = CommandConfig.ClientConfig.EnableSsl;
         ClientConfig.SslCredentials.pem_root_certs = CommandConfig.ClientConfig.SslCredentials.pem_root_certs;
+        ClientConfig.SslCredentials.pem_cert_chain = CommandConfig.ClientConfig.SslCredentials.pem_cert_chain;
+        ClientConfig.SslCredentials.pem_private_key = CommandConfig.ClientConfig.SslCredentials.pem_private_key;
     }
 
     static int PrepareConfigCredentials(NGRpcProxy::TGRpcClientConfig clientConfig, TConfig& commandConfig) {
@@ -159,4 +161,3 @@ class TClientGRpcCommand : public TClientCommand {
 
 }
 }
-

ydb/core/driver_lib/cli_utils/cli_cmds_root.cpp

@@ -56,11 +56,16 @@ class TClientCommandRoot : public TClientCommandRootKikimrBase {
             config.EnableSsl = endpoint.EnableSsl.GetRef();
         }
         ParseCaCerts(config);
+        ParseClientCert(config);
 
         CommandConfig.ClientConfig = NYdbGrpc::TGRpcClientConfig(endpoint.Address);
         if (config.EnableSsl) {
             CommandConfig.ClientConfig.EnableSsl = config.EnableSsl;
             CommandConfig.ClientConfig.SslCredentials.pem_root_certs = config.CaCerts;
+            if (config.ClientCert) {
+                CommandConfig.ClientConfig.SslCredentials.pem_cert_chain = config.ClientCert;
+                CommandConfig.ClientConfig.SslCredentials.pem_private_key = config.ClientCertPrivateKey;
+            }
         }
     }
 };

ydb/core/driver_lib/cli_utils/cli_cmds_tenant.cpp

@@ -142,6 +142,8 @@ class TTenantClientGRpcCommand : public TTenantClientCommand {
         ClientConfig.MaxInFlight = CommandConfig.ClientConfig.MaxInFlight;
         ClientConfig.EnableSsl = CommandConfig.ClientConfig.EnableSsl;
         ClientConfig.SslCredentials.pem_root_certs = CommandConfig.ClientConfig.SslCredentials.pem_root_certs;
+        ClientConfig.SslCredentials.pem_cert_chain = CommandConfig.ClientConfig.SslCredentials.pem_cert_chain;
+        ClientConfig.SslCredentials.pem_private_key = CommandConfig.ClientConfig.SslCredentials.pem_private_key;
     }
 
     int Run(TConfig &config) override

ydb/core/driver_lib/run/main.cpp

@@ -89,8 +89,11 @@ int MainRun(const TKikimrRunConfig& runConfig, std::shared_ptr<TModuleFactories>
         configParser.SetupGlobalOpts(opts);
         NMsgBusProxy::TMsgBusClientConfig mbusConfig;
         mbusConfig.ConfigureLastGetopt(opts, "mb-");
-        opts.AddLongOption("ca-file", "Path to a file containing the PEM encoding of the server root certificates for tls connections.\n").RequiredArgument("PATH");
+        opts.AddLongOption("ca-file", "File containing PEM encoded root certificates for SSL/TLS connections. If this parameter is empty, the default roots will be used.\n").RequiredArgument("PATH");
         NDriverClient::HideOptions(opts);
+        opts.AddLongOption("client-cert-file", "File containing client certificate for SSL/TLS connections (PKCS#12 or PEM-encoded)").RequiredArgument("PATH");
+        opts.AddLongOption("client-cert-key-file", "File containing PEM encoded client certificate private key for SSL/TLS connections").RequiredArgument("PATH");
+        opts.AddLongOption("client-cert-key-password-file", "File containing password for client certificate private key (if key is encrypted). If key file is encrypted, but this option is not set, password will be asked interactively").RequiredArgument("PATH");
         opts.AddLongOption('s', "server", "Server address to connect (default $KIKIMR_SERVER)").RequiredArgument("ADDR[:NUM]");
         opts.AddLongOption('k', "token", "Security token").RequiredArgument("TOKEN");
         opts.AddLongOption('f', "token-file", "Security token file").RequiredArgument("PATH");
@@ -203,4 +206,3 @@ int ParameterizedMain(int argc, char **argv, std::shared_ptr<NKikimr::TModuleFac
         return 1;
     }
 }
-

ydb/public/lib/ydb_cli/commands/ydb_command.cpp

@@ -29,6 +29,7 @@ TDriverConfig TYdbCommand::CreateDriverConfig(TConfig& config) {
         driverConfig.UseSecureConnection(config.CaCerts);
     if (config.IsNetworkIntensive)
         driverConfig.SetNetworkThreadsNum(16);
+    driverConfig.UseClientCertificate(config.ClientCert, config.ClientCertPrivateKey);
 
     return driverConfig;
 }

ydb/public/lib/ydb_cli/commands/ydb_profile.cpp

@@ -244,6 +244,15 @@ namespace {
         if (profile->Has("ca-file")) {
             Cout << "  ca-file: " << profile->GetValue("ca-file").as<TString>() << Endl;
         }
+        if (profile->Has("client-cert-file")) {
+            Cout << "  client-cert-file: " << profile->GetValue("client-cert-file").as<TString>() << Endl;
+        }
+        if (profile->Has("client-cert-key-file")) {
+            Cout << "  client-cert-key-file: " << profile->GetValue("client-cert-key-file").as<TString>() << Endl;
+        }
+        if (profile->Has("client-cert-key-password-file")) {
+            Cout << "  client-cert-key-password-file: " << profile->GetValue("client-cert-key-password-file").as<TString>() << Endl;
+        }
     }
 }
 
@@ -307,6 +316,15 @@ void TCommandConnectionInfo::PrintInfo(TConfig& config) {
     if (config.CaCertsFile) {
         Cout << "ca-file: " << config.CaCertsFile << Endl;
     }
+    if (config.ClientCertFile) {
+        Cout << "client-cert-file: " << config.ClientCertFile << Endl;
+    }
+    if (config.ClientCertPrivateKeyFile) {
+        Cout << "client-cert-key-file: " << config.ClientCertPrivateKeyFile << Endl;
+    }
+    if (config.ClientCertPrivateKeyPasswordFile) {
+        Cout << "client-cert-key-password-file: " << config.ClientCertPrivateKeyPasswordFile << Endl;
+    }
 }
 
 void TCommandConnectionInfo::PrintVerboseInfo(TConfig& config) {
@@ -382,7 +400,10 @@ void TCommandProfileCommon::GetOptionsFromStdin() {
         {"user", User},
         {"password-file", PasswordFile},
         {"iam-endpoint", IamEndpoint},
-        {"ca-file", CaCertsFile}
+        {"ca-file", CaCertsFile},
+        {"client-cert-file", ClientCertFile},
+        {"client-cert-key-file", ClientCertPrivateKeyFile},
+        {"client-cert-key-password-file", ClientCertPrivateKeyPasswordFile},
     };
     while (Cin.ReadLine(line)) {
         Strip(line, trimmedLine);
@@ -432,6 +453,15 @@ void TCommandProfileCommon::ConfigureProfile(const TString& profileName, std::sh
     if (cmdLine && CaCertsFile) {
         profile->SetValue("ca-file", CaCertsFile);
     }
+    if (cmdLine && ClientCertFile) {
+        profile->SetValue("client-cert-file", ClientCertFile);
+    }
+    if (cmdLine && ClientCertPrivateKeyFile) {
+        profile->SetValue("client-cert-key-file", ClientCertPrivateKeyFile);
+    }
+    if (cmdLine && ClientCertPrivateKeyPasswordFile) {
+        profile->SetValue("client-cert-key-password-file", ClientCertPrivateKeyPasswordFile);
+    }
 
     if (interactive) {
         TString activeProfileName = profileManager->GetActiveProfileName();
@@ -673,7 +703,8 @@ bool TCommandProfileCommon::AnyProfileOptionInCommandLine() {
     return Endpoint || Database || TokenFile || Oauth2KeyFile ||
            IamTokenFile || YcTokenFile ||
            SaKeyFile || UseMetadataCredentials || User ||
-           PasswordFile || IamEndpoint || AnonymousAuth || CaCertsFile;
+           PasswordFile || IamEndpoint || AnonymousAuth || CaCertsFile ||
+           ClientCertFile || ClientCertPrivateKeyFile || ClientCertPrivateKeyPasswordFile;
 }
 
 TCommandCreateProfile::TCommandCreateProfile()
@@ -711,8 +742,17 @@ void TCommandProfileCommon::Config(TConfig& config) {
         .RequiredArgument("STR").StoreResult(&IamEndpoint);
     }
     opts.AddLongOption("ca-file",
-        "Path to a file containing the PEM encoding of the server root certificates for tls connections.")
+        "File containing PEM encoded root certificates for SSL/TLS connections.")
         .RequiredArgument("PATH").StoreResult(&CaCertsFile);
+    opts.AddLongOption("client-cert-file",
+        "File containing client certificate for SSL/TLS connections (PKCS#12 or PEM-encoded).")
+        .RequiredArgument("PATH").StoreResult(&ClientCertFile);
+    opts.AddLongOption("client-cert-key-file",
+        "File containing PEM encoded client certificate private key for SSL/TLS connections.")
+        .RequiredArgument("PATH").StoreResult(&ClientCertPrivateKeyFile);
+    opts.AddLongOption("client-cert-key-password-file",
+        "File containing password for client certificate private key (if key is encrypted). If key file is encrypted, but this option is not set, password will be asked interactively.")
+        .RequiredArgument("PATH").StoreResult(&ClientCertPrivateKeyPasswordFile);
     if (!IsStdinInteractive()) {
         GetOptionsFromStdin();
     }
@@ -1064,8 +1104,14 @@ void TCommandUpdateProfile::Config(TConfig& config) {
     if (config.UseIamAuth) {
         opts.AddLongOption("no-iam-endpoint", "Delete endpoint of IAM service from the profile").StoreTrue(&NoIamEndpoint);
     }
-    opts.AddLongOption("no-ca-file", "Delete path to file containing the PEM encoding of the "
-        "server root certificates for tls connections from the profile").StoreTrue(&NoCaCertsFile);
+    opts.AddLongOption("no-ca-file", "Delete path to file containing the PEM encoded "
+        "root certificates for SSL/TLS connections from the profile").StoreTrue(&NoCaCertsFile);
+    opts.AddLongOption("no-client-cert-file", "Delete path to file containing client certificate "
+        "for SSL/TLS connections").StoreTrue(&NoClientCertFile);
+    opts.AddLongOption("no-client-cert-key-file", "Delete path to file containing PEM encoded client "
+        "certificate private key for SSL/TLS connections").StoreTrue(&NoClientCertPrivateKeyFile);
+    opts.AddLongOption("no-client-cert-key-password-file", "Delete path to file containing password for "
+        "client certificate private key (if key is encrypted)").StoreTrue(&NoClientCertPrivateKeyPasswordFile);
 }
 
 void TCommandUpdateProfile::ValidateNoOptions() {
@@ -1080,21 +1126,21 @@ void TCommandUpdateProfile::ValidateNoOptions() {
         throw TMisuseException() << "You cannot enter authentication options and the \"--no-auth\" option at the same time";
     }
     TStringBuilder str;
-    if (Endpoint && NoEndpoint) {
-        str << "\"--endpoint\" and \"--no-endpoint\"";
-    } else {
-        if (Database && NoDatabase) {
-            str << "\"--database and \"--no-database\"";
-        } else {
-            if (IamEndpoint && NoIamEndpoint) {
-                str << "\"--iam-endpoint\" and \"--no-iam-endpoint\"";
-            } else {
-                if (CaCertsFile && NoCaCertsFile) {
-                    str << "\"--ca-file\" and \"--no-ca-file\"";
-                }
+    auto addMutuallyExclusiveOptionError = [&](bool validationResult, TStringBuf optionName) {
+        if (validationResult) {
+            if (str) {
+                str << ", ";
             }
+            str << "\"--" << optionName << "\" and \"--no-" << optionName << "\"";
         }
-    }
+    };
+    addMutuallyExclusiveOptionError(Endpoint && NoEndpoint, "endpoint");
+    addMutuallyExclusiveOptionError(Database && NoDatabase, "database");
+    addMutuallyExclusiveOptionError(IamEndpoint && NoIamEndpoint, "iam-endpoint");
+    addMutuallyExclusiveOptionError(CaCertsFile && NoCaCertsFile, "ca-file");
+    addMutuallyExclusiveOptionError(ClientCertFile && NoClientCertFile, "client-cert-file");
+    addMutuallyExclusiveOptionError(ClientCertPrivateKeyFile && NoClientCertPrivateKeyFile, "client-cert-key-file");
+    addMutuallyExclusiveOptionError(NoClientCertPrivateKeyPasswordFile && NoClientCertPrivateKeyPasswordFile, "client-cert-key-password-file");
     if (!str.empty()) {
         throw TMisuseException() << "Options " << str << " are mutually exclusive";
     }
@@ -1116,6 +1162,15 @@ void TCommandUpdateProfile::DropNoOptions(std::shared_ptr<IProfile> profile) {
     if (NoCaCertsFile) {
         profile->RemoveValue("ca-file");
     }
+    if (NoClientCertFile) {
+        profile->RemoveValue("client-cert-file");
+    }
+    if (NoClientCertPrivateKeyFile) {
+        profile->RemoveValue("client-cert-key-file");
+    }
+    if (NoClientCertPrivateKeyPasswordFile) {
+        profile->RemoveValue("client-cert-key-password-file");
+    }
 }
 
 void TCommandUpdateProfile::Parse(TConfig& config) {

ydb/public/lib/ydb_cli/commands/ydb_profile.h

@@ -43,7 +43,7 @@ class TCommandProfileCommon : public TClientCommand {
                      TConfig& config, bool interactive, bool cmdLine);
 
     TString ProfileName, Endpoint, Database, TokenFile, Oauth2KeyFile, YcTokenFile, SaKeyFile,
-            IamTokenFile, IamEndpoint, User, PasswordFile, CaCertsFile;
+            IamTokenFile, IamEndpoint, User, PasswordFile, CaCertsFile, ClientCertFile, ClientCertPrivateKeyFile, ClientCertPrivateKeyPasswordFile;
 
     bool UseMetadataCredentials = false;
     bool AnonymousAuth = false;
@@ -141,6 +141,9 @@ class TCommandUpdateProfile : public TCommandProfileCommon {
     bool NoAuth = false;
     bool NoIamEndpoint = false;
     bool NoCaCertsFile = false;
+    bool NoClientCertFile = false;
+    bool NoClientCertPrivateKeyFile = false;
+    bool NoClientCertPrivateKeyPasswordFile = false;
 };
 
 class TCommandReplaceProfile : public TCommandProfileCommon {